Colonial Pipeline Attack isn't an Anomaly

Malvertising is an overlooked ransomware distribution tool

Another day, another ransomware incident. The weekend was awash in stories about a large-scale ransomware attack affecting Colonial Pipeline, a company responsible for delivering approximately 45% of fuel consumed on the East Coast. 

What makes this attack different is its potential to immediately disrupt the lives of millions of innocent US consumers—a difference that should lend new urgency to hardening networks against ransomware attacks. Despite the $132B spent on cybersecurity in 2020, these attacks keep happening. The big question: why?

“Left-of-breach” vs. “Right-of-breach”

Media coverage of ransomware attacks is typically focused on their harmful impact—from the operational impact of holding systems hostage to the sensitive data breaches that occur should a ransom payment never materialize. This “right-of-breach” mentality does little to thwart future attacks, whereas a “left-of-breach” mentality shifts the conversation to understanding the cause of the attack.

We rarely hear enough about the mechanics of how ransomware penetrates networks. Some stories reference network intrusion via unauthorized database access, while others reference email. There’s a third vector: malvertising.

Malvertising: an evolving ransomware vector

A portmanteau of malware and advertising (aka “malicious advertising”), malvertising uses the dynamic digital advertising ecosystem (e.g., the open programmatic marketplace) to target consumers with malicious content. Bad actors covertly inject malicious code into creatives (images, videos), tags and landing pages, either through digital technology partners (AdTech) or directly onto publisher websites.

Malvertising takes many different forms, including redirects, phishing, e-skimming and scams. Two specific forms enable ransomware attacks: software install prompts (e.g., potentially unwanted programs or adware) and fake antivirus alerts (e.g., urgent popups signaling potential device infection). Both direct the user to download and install software that paves the way for later compromise, bringing a host of consumer-harming activity like phishing, credit card theft, personal data scraping and, yes, ransomware, too.

Ransomware is rarely attributed to malvertising, yet malvertising is evolving into a significant delivery vector, representing 10% of incidents detected by The Media Trust since 2020. The largest we’ve tracked to date is AfterShock-3PC, in which users were presented with a ransomware pop-up message threatening to encrypt their files if they failed to renew their antivirus package within 15 minutes.

That certainly won’t be the last example, and malvertising is continually advancing.

The cost of ransomware is greater than you think

A majority of security breaches are financially motivated. The costs are immediate (lost revenue, remediation, legal fees), with further impacts on long-term revenue and profitability. Some 25% of consumers across North America, the United Kingdom, France and Germany would abandon a product after a single ransomware-related service disruption, and a further 59% would avoid companies hit by cyber attacks. And just think of the cybersecurity insurance premium hike.

As numerous stories emerge over the next few days (and weeks), I want you to think about prevention: what enterprises can do to avoid these attacks in the future. I say it’s time to adopt a “left-of-breach” mentality and focus our attention on the cause of these attacks.

The first step is hardening our public-facing websites and mobile apps—whether ad-supported or not—against rogue code, especially code known to enable infection of consumer devices.
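As an added illustration of that hardening step, and of the injection points named earlier (creatives, tags and landing pages), here is a small pre-serve check a publisher could run over a third-party creative's markup before it reaches the page. This is example code written for this page, not The Media Trust's tooling; the approved-partner allowlist, the `.test` hostnames and the two sample creatives are constructed for the demonstration.

```javascript
"use strict";
// Added example (not The Media Trust's product code): a static pre-serve scan of
// third-party ad creative markup. It flags the patterns the post describes:
// scripts pulled from unapproved partners, forced redirects of the hosting page,
// and the fake-alert / install-prompt wording used to push unwanted software.

// Hypothetical allowlist of AdTech partners approved to run script on the site.
const APPROVED_SCRIPT_ORIGINS = new Set([
  "https://ads.approved-partner.test",
  "https://cdn.approved-measurement.test",
]);

// Lure phrasing typical of fake antivirus alerts and software install prompts.
const LURE_TEXT = /your (computer|device|pc) (is|may be) infected|virus(es)? (detected|found)|renew your antivirus|files? will be encrypted|update (your )?(flash|media player|browser) (now|to continue)/i;

// Script bodies that navigate the top-level page away from the publisher.
const FORCED_REDIRECT = /\b(top|parent|window)\.location\b|\blocation\.(href|replace|assign)\b/;

// Findings that should stop a creative from serving; a bare inline script only
// earns manual review, since legitimate HTML5 creatives carry script too.
const BLOCKING_RULES = new Set(["unapproved-script-origin", "forced-redirect", "meta-refresh", "lure-text"]);

function scanCreative(markup, approvedOrigins = APPROVED_SCRIPT_ORIGINS) {
  const findings = [];

  // 1. Every external script must come from an approved partner origin.
  for (const m of markup.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi)) {
    let origin = null;
    try {
      origin = new URL(m[1], "https://publisher.test").origin;
    } catch (_) {
      // An unparsable URL is treated as unapproved.
    }
    if (origin === null || !approvedOrigins.has(origin)) {
      findings.push({ rule: "unapproved-script-origin", detail: m[1] });
    }
  }

  // 2. Inline script in a creative, and forced navigation inside it (the
  //    "redirect" form of malvertising).
  for (const m of markup.matchAll(/<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1].trim();
    findings.push({ rule: "inline-script", detail: body.slice(0, 60) });
    if (FORCED_REDIRECT.test(body)) {
      findings.push({ rule: "forced-redirect", detail: body.match(FORCED_REDIRECT)[0] });
    }
  }

  // 3. Declarative redirect via <meta http-equiv="refresh">.
  if (/<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b/i.test(markup)) {
    findings.push({ rule: "meta-refresh", detail: "meta refresh present" });
  }

  // 4. Fake-alert or install-prompt wording in the visible text.
  const text = markup.replace(/<script\b[\s\S]*?<\/script>/gi, "").replace(/<[^>]+>/g, " ");
  const lure = text.match(LURE_TEXT);
  if (lure) {
    findings.push({ rule: "lure-text", detail: lure[0] });
  }

  return findings;
}

function shouldBlock(findings) {
  return findings.some((f) => BLOCKING_RULES.has(f.rule));
}

// Constructed sample creatives (not real campaigns).
const CLEAN_CREATIVE = `
<a href="https://advertiser.test/landing"><img src="https://cdn.approved-measurement.test/banner.png" width="300" height="250"></a>
<script src="https://ads.approved-partner.test/viewability.js"></script>`;

const ROGUE_CREATIVE = `
<img src="https://cdn.approved-measurement.test/banner.png" width="300" height="250">
<div>WARNING: Your computer is infected! Renew your antivirus within 15 minutes.</div>
<script>setTimeout(function () { top.location.href = "https://install.rogue-example.test/download"; }, 1500);</script>
<script src="https://tracker.rogue-example.test/r.js"></script>`;

for (const [name, markup] of Object.entries({ clean: CLEAN_CREATIVE, rogue: ROGUE_CREATIVE })) {
  const findings = scanCreative(markup);
  console.log(name, shouldBlock(findings) ? "BLOCK" : "ALLOW", findings.map((f) => f.rule).join(","));
}
```

Node runs it as-is. A static check like this only sees what the creative carries at submission time; in practice creatives are served in cross-origin iframes and are frequently rewritten or obfuscated after approval, so a scan of this kind belongs alongside runtime monitoring of what the ad slot actually loads, not in place of it.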